zero-days

Adobe Systems released an emergency security update today that addresses a trio of vulnerabilities in Flash, two of which the company said were already being exploited by hackers.

Today's surprise update -- the company's third for the browser plug-in this month -- patches holes "that could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in a security bulletin.

"Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which … Read more

A zero-day security flaw in Adobe Reader and Acrobat is being exploited through a series of targeted attacks against vulnerable computers, Adobe Systems said yesterday.

In a security bulletin, Adobe confirmed that the vulnerabilities could cause Reader and Acrobat to crash, potentially opening the door for an attacker to gain control of the system.

"Adobe is aware of reports that these vulnerabilities are being exploited in the wild in targeted attacks designed to trick Windows users into clicking on a malicious PDF file delivered in an email message," the company revealed in the bulletin.

Adobe said it's … Read more

Adobe issued an emergency update to its Flash Player to fix two zero-day threats, the company announced yesterday. The updates affect all versions of Flash on Windows, Mac, Linux, and Android.

The vulnerabilities currently are being exploited "in the wild," says Adobe's blog on the patches. According to the Kaspersky ThreatPost blog on the pair of zero-days, one attack targets "aerospace and other manufacturing companies" by tricking people into opening a Microsoft Word document with malicious Flash content embedded in it. The second zero-day targets Firefox and Safari on Mac OS X by tricking you … Read more

Microsoft will fix a zero-day hole in IE today almost a week after this month's regular Patch Tuesday updates.

Discovered late last month, the vulnerability could allow attackers to gain control of a Windows computer running one of the older versions of IE by directing users to malicious Web sites. In response, Microsoft had suggested several workarounds and even offered a "one-click fix" designed to mitigate the problem, but those were considered temporary solutions.

Today's update will fully resolve the issue, according to Microsoft. Scheduled for rollout at 10 a.m. PT, the fix will be … Read more

Security researchers have spotted a new vulnerability in the widely used Java software that could give attackers access to your computer.

The US-CERT group today issued an alert saying that Java 7 Update 10 and earlier versions of the software contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code. The attack can be induced if someone visits a Web site that's been set up with malicious code to take advantage of the hole.

This weak spot is already being attacked "in the wild" -- that is, it's a real-world threat … Read more

Microsoft's regular Patch Tuesday rolls around next week. But one flaw that won't be fixed in the mix is the latest zero-day exploit in Internet Explorer.

Last Saturday, Microsoft warned about the zero-day flaw in IE 6, 7, and 8 that could allow attackers to gain control of Windows computers to host malicious Web sites. In its advisory, the company noted that IE 9 and 10 are unaffected by the vulnerability and suggested a variety of workarounds to those running the older browser versions.

On Monday, the company issued a temporary fix that prevents the flaw from being … Read more

Microsoft issued a fix today for a zero-day vulnerability in older versions of Internet Explorer that could allow attackers to gain control of Windows-based computers to host malicious Web sites.

The company confirmed Saturday that it was investigating a remote code execution vulnerability in IE 6, IE 7, and IE 8 that could allow an attacker to use the corrupted PC to host a Web site designed to exploit the vulnerability with other users. Versions of the browser after IE 8 are unaffected, Microsoft said.

Microsoft said in an update to that security advisory that it has developed a one-click fix … Read more

Microsoft has confirmed that a zero-day vulnerability affecting older versions of Internet Explorer could allow attackers to gain control of Windows-based computers to host malicious Web sites.

The company acknowledged the issue in a security advisory yesterday that included advice on how users can mitigate the threat posed by the flaw.

"Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8," Microsoft said, noting that more recent versions of the Web browser, including IE 9 and IE 10, were unaffected.

The remote code execution vulnerability affects the way the browser accesses memory, … Read more

It's just a proof of concept for now, but a newly revealed Java vulnerability could have very widespread repercussions.

Security research company Security Explorations has issued a description of a new critical security flaw in Java SE 5 build 1.5.0_22-b03, Java SE 6 build 1.6.0_35-b10, and the latest Java SE 7 build 1.7.0_07-b10. This error is caused by a discrepancy with how the Java virtual machine handles defined data types (a type-safety error) and in doing so violates a fundamental security constraint in the Java runtime, allowing a complete bypass of the Java … Read more